Cybersecurity Leadership Lessons from the Battlefield


I am writing this from a battlefield.  That is not hyperbole or even a metaphor.  I am standing on Seminary Ridge, where the Union lines stood during Pickett’s Charge, the decisive battle that won the Battle of Gettysburg for the Union and provided the North the strategic position it needed to win the Civil War.

Here’s the backstory.  A few months ago, my sordid political past caught up to me when I was nominated and selected to attend the National Security Seminar at the United States Army War College.  It was an honor to be selected to discuss the role of cyber, cybersecurity, and privacy in the four pillars of National Defense (Diplomatic, Informational, Military, and Economic) with Senior Government Officials, Generals, and other senior officers from all US Military Branches as well as senior military leadership from allied nations.  Part of the exercise involved a battlefield tour of Gettysburg with a retired Colonel who is currently a very well-respected professor of military history and doctrine.  What ensued, I believe, is the most intense crash course in leading in adversarial environments I have ever experienced; one that was a welcome shock to my system as a self-professed dove among hawks.

Quick note: The program is not secret per se, but it does operate with a strict non-attribution policy.  As such, I won’t attribute any comments, but will instead offer my takeaways from the exercise.  All opinions are strictly my own, and any interpretations of the historical content or conclusions drawn belong solely to me.

The Battlefield and Cybersecurity

I freely admit that I am not a proponent of cyberspace as a warfare domain.  Indeed, my master’s degree thesis argued for treating cyberspace as a shared ‘common’ in which weapons often backfire (see the reemergence of components of Stuxnet, Duqu, and Flame).  My opinion of this hasn’t changed.  However, I am just one unimportant individual, and criminals and advanced persistent threats do not much care for my thoughts in this area. 

What is clear is that cybersecurity and privacy staff often meet enemies, be they crooks or even nation states, in cyberspace, and conduct defensive operations to secure their organizations from loss of confidentiality, integrity, availability, and ownership of organizational data and assets.  So, while I do not believe that war in cyberspace is appropriate at all, I cannot deny that cyber and privacy staff are often called on to be a class of citizen soldier and police officer.  Because of the potential to deal frequently with adversarial situations, I think the following observations regarding troop leadership on the battlefield are warranted for leading corporate cybersecurity, privacy, and incident response personnel. 

Have Firm Boundaries, With Flexible Responses

On the second day of the Battle of Gettysburg the 20th Maine Volunteer Infantry Regiment was put in the unenviable position of defending the left flank of the Union Army at all costs at Little Round Top, a rocky and heavily forested area on which the Confederate soldiers wished to place artillery.  Though Col. Albert Aims remained in place as ordered, he sent a company into the forest to respond to the battle at the discretion of that company’s commander.  The Regiment was overwhelmed by Confederate soldiers, and as the battered 20th Maine fixed bayonets for a last desperate charge, the detached company, which had also picked up a group of straggling sharpshooters, emerged from the forest, surprising and confusing the Confederates and resulting in one of the most storied victories of the war.

I think there are a lot of good lessons in this anecdote about defending our organizational barriers.  In cybersecurity, we tend to build a lot of firm barriers (firewalls, VPNs, VLANs, and subnets, to name a few), and they are absolutely some of the most important assets to organizational cybersecurity.  But we should equally prioritize the role of the analyst in the battle to secure these borders.  Our barriers will be much more effective if we give security analysts and response teams latitude to conduct operations to better understand and engage threats.  I don’t advocate hacking back unless you are coordinating with law enforcement or federal powers, but there are less extreme active defenses such as honeypots, honey ports, and packet tracing that give security personnel a better understanding of the threat and a better ability to reroute and confuse it.
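A honey port is the smallest of the active defenses listed above: a listener on a port that no real service uses, so any connection to it is a high-signal indicator that something is probing the host. The following is an added example, not code from the original post or from CyberGRX, showing one way to build such a listener and record what touches it; the `HoneyPort` class, the `demo()` function, and the HTTP-looking probe bytes are all constructed for illustration.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class ConnectionEvent:
    """One touch of the honey port; every field is taken from the socket."""
    timestamp: float
    peer_ip: str
    peer_port: int
    first_bytes: bytes


class HoneyPort:
    """Listen on a port no real service uses and record every connection.

    Nothing legitimate should ever connect here, so each event is worth
    an analyst's attention rather than being one line among millions.
    """

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 lets the OS pick one
        self.sock.listen(16)
        self.sock.settimeout(0.2)             # lets the loop notice stop()
        self.host, self.port = self.sock.getsockname()
        self.events = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(64)      # keep only the opening bytes
                except (socket.timeout, OSError):
                    data = b""
            self.events.append(ConnectionEvent(time.time(), ip, port, data))

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def summarize(events):
    """Count touches per source IP, which is what an analyst triages first."""
    counts = {}
    for ev in events:
        counts[ev.peer_ip] = counts.get(ev.peer_ip, 0) + 1
    return counts


def demo(probe_payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Start a honey port on localhost, touch it once, and return its log.

    The probe payload is constructed for this demo; in deployment the
    events come from whatever actually connects to the unused port.
    """
    hp = HoneyPort().start()
    try:
        with socket.create_connection((hp.host, hp.port), timeout=2) as client:
            client.sendall(probe_payload)
        deadline = time.time() + 3
        while not hp.events and time.time() < deadline:
            time.sleep(0.05)
    finally:
        hp.stop()
    return hp.events


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.peer_ip}:{ev.peer_port} sent {ev.first_bytes!r}")
```

In practice the events would be shipped to the SIEM as their own alert class rather than mixed into general connection logs; the value of the honey port comes from its near-zero false-positive rate, which only holds if the port is genuinely unused and not advertised in any inventory or documentation.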

Trust Your People Over Your Metrics

After the Confederates were repelled at Little Round Top, Confederate General Lee ordered a multi-faceted attack on the Union’s main positions to support a twelve-thousand-man-strong charge at the central Union line that is now known as Pickett’s Charge.  One attack was a massive, two-hour-long artillery bombardment of the Union artillery to render it unable to fire back at Pickett’s charging men.  General Lee’s chief metric for the success of the attack was the reduction in the number of cannons firing back.

On the Union side, Henry J. Hunt, the General in charge of the Union artillery, understood that his main objective was to preserve the artillery to support the troops during the subsequent charge of the Confederate Army.  He withdrew his cannons from Seminary Ridge and the Union artillery gradually went silent; not an easily understood move for the poor infantrymen who had to remain in place during the bombardment without suppressing fire.

The Confederate troops, thinking the Union artillery destroyed, advanced over twelve thousand men against the Union’s central line.  The result was a shameful loss of life and a decisive defeat for the Confederate forces, as the unmolested Union artillery fired on their advancing lines.

Here too are many solid lessons we can observe from the battle.  We have a tendency to want to measure effectiveness of systems and controls we put in place to stop threats from invading our protected areas.  We ask ourselves before incidents what a successful defense and recovery looks like, and then try to measure against that.  But as the Union’s artillery in Pickett’s charge indicates, your metrics, though sensible, may lead you into disaster if you are not careful.  Rely on your security personnel to investigate and trust their gut. 

Here is an example scenario.  One of the most tempting, and most used, metrics is the simple count of attacks, be it the number of cannons firing or the number of attacking source IPs.  A low or non-existent count of attacks may indicate that the attacker has stopped, or it may indicate that the attack was successful and the attacker is now moving laterally through your network by other means.
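The scenario above can be turned into a concrete check: count the "cannons firing" (distinct external source IPs per hour) alongside an east-west indicator that a quiet perimeter can hide (one internal host fanning out to several others on administrative ports). This is an added example, not code from the original post or from CyberGRX; the flow records, the address ranges treated as internal, the port list, and the fan-out threshold are all constructed assumptions for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for the demo (not real traffic):
# timestamp, source IP, destination IP, destination port.
FLOWS = """\
2024-06-01T10:02:11Z,198.51.100.7,203.0.113.10,443
2024-06-01T10:05:40Z,198.51.100.9,203.0.113.10,443
2024-06-01T10:09:03Z,192.0.2.33,203.0.113.10,22
2024-06-01T10:31:55Z,198.51.100.7,203.0.113.10,443
2024-06-01T11:04:17Z,10.0.0.5,10.0.0.20,445
2024-06-01T11:04:19Z,10.0.0.5,10.0.0.21,445
2024-06-01T11:04:22Z,10.0.0.5,10.0.0.22,3389
2024-06-01T11:10:02Z,10.0.0.5,10.0.0.23,445
2024-06-01T12:15:48Z,10.0.0.7,10.0.0.20,445
"""

# Assumed organizational address space (RFC 1918); an analyst would use
# the real inventory here rather than a generic "is private" test.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed ports on which host-to-host fan-out looks like lateral movement.
LATERAL_PORTS = {22, 445, 3389, 5985}   # SSH, SMB, RDP, WinRM


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (hour, src, dst, dport) tuples from the CSV-like records."""
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split(",")
        yield ts[11:13], src, dst, int(dport)


def analyze(flows, fanout_threshold=3):
    """Per hour: the perimeter count AND the internal fan-out it may mask."""
    windows = defaultdict(lambda: {"external": set(),
                                   "fanout": defaultdict(set)})
    for hour, src, dst, dport in flows:
        w = windows[hour]
        if not is_internal(src):
            w["external"].add(src)                 # "cannons firing"
        elif is_internal(dst) and dport in LATERAL_PORTS and src != dst:
            w["fanout"][src].add(dst)              # east-west spread

    report = {}
    for hour in sorted(windows):
        ext = len(windows[hour]["external"])
        worst_src, worst = None, 0
        for src, dsts in windows[hour]["fanout"].items():
            if len(dsts) > worst:
                worst_src, worst = src, len(dsts)
        if ext == 0 and worst >= fanout_threshold:
            verdict = "quiet-but-lateral"   # the Pickett's Charge trap
        elif ext > 0:
            verdict = "external-pressure"
        else:
            verdict = "quiet"
        report[hour] = {"external_sources": ext, "max_fanout": worst,
                        "fanout_source": worst_src, "verdict": verdict}
    return report


if __name__ == "__main__":
    for hour, row in analyze(parse_flows(FLOWS)).items():
        print(hour, row)
```

On the constructed data the 10:00 hour shows three external sources and the 11:00 hour shows none, which a count-only dashboard would read as the attack ending; the same hour has one internal host reaching four peers on SMB and RDP, which is the signal the silent perimeter was hiding.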

Additionally, do not rely on metrics concerned with the efficiency of tools in the security space.  Such metrics are geared toward product management and budgeting.  Your firewall capacities and SIEM bandwidth limits are not indicative of your capability to fend off attacks.  A more reliable indicator is the capability and experience of the security personnel who operate your tools and conduct the response operations.  The human element is the most important part of your program; treat your people as such!

Consult Your Security Personnel

I was struck by the differences in the management styles of the Confederate General Robert E. Lee and the Union General George Meade.  General Meade seemed to be a pragmatic leader, focused on morale and unity.  He held ‘Councils of War’ every night in which his senior leaders voted on whether the army should attack, defend, or retreat.  Robert E. Lee, on the other hand, seemed to pursue unilateral decisions, in one case publicly disagreeing with his close friend and second-in-command.  While his successes quickly earned Lee a reputation as a military savant, it was Meade’s unifying command that won the battle.

I will admit to being struck by the number of individuals I have met in the corporate world who do not listen to the experts they employ to advise them.  I have analyzed many breaches, and one consistent issue present in most of the major breaches is a leader’s refusal to listen to the concerns of the personnel they hired to advise them.  You will find this in almost every investigation of a major breach.  Remember, even when the leader is an expert in the field, it is generally harder for a group to be wrong than for an individual to be consistently correct.


KEVIN FORD

CYBERGRX CISO